authorNeal Patel <nealpatel@google.com>2025-12-04 12:30:39 -0500
committerGopher Robot <gobot@golang.org>2026-01-15 10:14:36 -0800
commit6ed1ff80d68b3e6de9366f65038a43eede049a4a (patch)
treea5c4e5fdc178e65748bea1d5166f8cf4869a6bd3
parent29f3f72dbd67c25033df944c8ced91e0efd46851 (diff)
downloadgo-6ed1ff80d68b3e6de9366f65038a43eede049a4a.tar.xz
[release-branch.go1.26] cmd/go/internal/work: sanitize flags before invoking 'pkg-config'
The addition of CgoPkgConfig allowed execution with flags not matching the safelist. In order to prevent potential arbitrary code execution at build time, ensure that flags are validated prior to invoking the 'pkg-config' binary. Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue. Fixes CVE-2025-61731 Fixes #77100 Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3240 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3324 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/736706 Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> TryBot-Bypass: Michael Pratt <mpratt@google.com>
-rw-r--r--src/cmd/go/internal/work/exec.go8
-rw-r--r--src/cmd/go/internal/work/security.go1
2 files changed, 9 insertions, 0 deletions
diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
index f2d1b1040b..311e961308 100644
--- a/src/cmd/go/internal/work/exec.go
+++ b/src/cmd/go/internal/work/exec.go
@@ -1788,6 +1788,14 @@ func (b *Builder) getPkgConfigFlags(a *Action, p *load.Package) (cflags, ldflags
return nil, nil, fmt.Errorf("invalid pkg-config package name: %s", pkg)
}
}
+
+ // Running 'pkg-config' can cause execution of
+ // arbitrary code using flags that are not in
+ // the safelist.
+ if err := checkCompilerFlags("CFLAGS", "pkg-config --cflags", pcflags); err != nil {
+ return nil, nil, err
+ }
+
var out []byte
out, err = sh.runOut(p.Dir, nil, b.PkgconfigCmd(), "--cflags", pcflags, "--", pkgs)
if err != nil {
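Review bot: The new check passes the name "CFLAGS" to checkCompilerFlags, so pkg-config's own options are judged by the compiler-flag safelist. If that helper honours the usual per-name overrides, CGO_CFLAGS_ALLOW applies too, and an environment that widened it for compiler flags would also widen what reaches pkg-config. The comment above the check would be clearer if it named the source of the values and the list applied, for example `// pcflags come from package source (presumably the #cgo pkg-config directive) and are untrusted; validate them against the compiler-flag safelist before they reach the pkg-config command line.` The diffstat lists only exec.go and security.go, so a regression test asserting that a non-safelisted pkg-config flag is rejected before sh.runOut is worth adding. getPkgConfigFlags starts and continues outside this hunk, so any later pkg-config invocation that reuses pcflags should be confirmed to sit behind this check.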
diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
index ffa83e0591..80b3f8797c 100644
--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
@@ -129,6 +129,7 @@ var validCompilerFlags = []*lazyregexp.Regexp{
re(`-pedantic(-errors)?`),
re(`-pipe`),
re(`-pthread`),
+ re(`--static`),
re(`-?-std=([^@\-].*)`),
re(`-?-stdlib=([^@\-].*)`),
re(`--sysroot=([^@\-].*)`),
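Review bot: `--static` is added to validCompilerFlags, the list that also gates compiler flags, so it appears to become acceptable in a package's cgo CFLAGS as well as in pkg-config arguments, which is broader than this fix needs. If sharing the list is intentional, a trailing comment on the new entry would record why it exists, such as `// pkg-config option; pcflags are validated against this list`. Otherwise a separate pkg-config allowlist would keep the two surfaces from widening together. The validCompilerFlags literal starts and ends outside this hunk.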